stellarwp — Vulnerabilities & Security Advisories 115

Browse all 115 CVE security advisories affecting stellarwp. AI-powered Chinese analysis, POCs, and references for each vulnerability.

StellarWP primarily develops and maintains premium WordPress plugins, including the popular MemberPress platform for membership management and subscription billing. Historically, its software has been associated with a significant volume of Common Vulnerabilities and Exposures, totaling 115 recorded instances. These security issues predominantly involve cross-site scripting (XSS), SQL injection, and arbitrary file upload flaws, often stemming from insufficient input validation and weak access controls within plugin code. While the company generally responds to disclosed vulnerabilities, the high frequency of patches indicates persistent challenges in secure coding practices. Notable incidents include multiple remote code execution (RCE) vectors that allowed attackers to compromise WordPress installations without authentication. The sheer number of CVEs suggests that while the products are widely used, their security posture has frequently lagged behind industry standards, requiring users to prioritize timely updates and rigorous security auditing to mitigate risks associated with these historically common vulnerability classes.

| CVE ID | Title | Product | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2025-11227 | GiveWP – Donation Plugin and Fundraising Platform <= 4.10.0 - Missing Authorization to Unauthenticated Forms and Campaigns Disclosure | GiveWP – Donation Plugin and Fundraising Platform | CWE-285 | 6.5 | Medium | 2025-10-04 |
| CVE-2025-58974 | WordPress WPComplete Plugin <= 2.9.5.2 - Cross Site Scripting (XSS) Vulnerability | WPComplete | CWE-79 | 6.5 | Medium | 2025-09-22 |
| CVE-2025-9808 | The Events Calendar <= 6.15.2 - Missing Authorization to Unauthenticated Password-Protected Information Disclosure | The Events Calendar | CWE-200 | 5.3 | Medium | 2025-09-16 |
| CVE-2025-9807 | The Events Calendar <= 6.15.1 - Unauthenticated SQL Injection | The Events Calendar | CWE-89 | 7.5 | High | 2025-09-12 |
| CVE-2025-7221 | GiveWP – Donation Plugin and Fundraising Platform <= 4.5.0 - Missing Authorization to Donation Update | GiveWP – Donation Plugin and Fundraising Platform | CWE-285 | 4.3 | Medium | 2025-08-21 |
| CVE-2025-54697 | WordPress Kadence WooCommerce Email Designer Plugin <= 1.5.16 - Privilege Escalation Vulnerability | Kadence WooCommerce Email Designer | CWE-266 | 7.2 | High | 2025-08-14 |
| CVE-2025-8620 | GiveWP – Donation Plugin and Fundraising Platform <= 4.6.0 - Unauthenticated Donor Data Exposure | GiveWP – Donation Plugin and Fundraising Platform | CWE-200 | 5.3 | Medium | 2025-08-06 |
| CVE-2025-7205 | GiveWP – Donation Plugin and Fundraising Platform <= 4.5.0 - Authenticated (GiveWP worker+) Stored Cross-Site Scripting | GiveWP – Donation Plugin and Fundraising Platform | CWE-79 | 5.4 | Medium | 2025-07-31 |
| CVE-2025-5678 | Kadence Blocks – Gutenberg Blocks for Page Builder Features <= 3.5.10 - Authenticated (Contributor+) Stored Cross-Site Scripting via `redirectURL` Parameter | Kadence Blocks — Page Builder Toolkit for Gutenberg Editor | CWE-79 | 6.4 | Medium | 2025-07-09 |
| CVE-2025-50046 | WordPress WPComplete plugin <= 2.9.5 - Cross Site Scripting (XSS) Vulnerability | WPComplete | CWE-79 | 6.5 | Medium | 2025-06-20 |
| CVE-2025-4571 | GiveWP – Donation Plugin and Fundraising Platform <= 4.3.0 - Missing Authorization To Authenticated (Contributor+) Campaign Data View And Modification | GiveWP – Donation Plugin and Fundraising Platform | CWE-862 | 5.4 | Medium | 2025-06-19 |
| CVE-2025-5144 | The Events Calendar <= 6.13.2 - Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting | The Events Calendar | CWE-79 | 6.4 | Medium | 2025-06-11 |
| CVE-2025-48246 | WordPress The Events Calendar plugin <= 6.11.2.1 - Broken Access Control Vulnerability | The Events Calendar | CWE-862 | 5.4 | Medium | 2025-05-19 |
| CVE-2025-39557 | WordPress Kadence WooCommerce Email Designer plugin <= 1.5.14 - Arbitrary File Upload vulnerability | Kadence WooCommerce Email Designer | CWE-434 | 9.1 | Critical | 2025-04-16 |
| CVE-2025-30794 | WordPress Event Tickets plugin <= 5.20.0 - Reflected Cross Site Scripting (XSS) vulnerability | Event Tickets | CWE-79 | 7.1 | High | 2025-04-01 |
| CVE-2025-2331 | GiveWP – Donation Plugin and Fundraising Platform <= 3.22.1 - Authenticated (Subscriber+) Sensitive Information Exposure | GiveWP – Donation Plugin and Fundraising Platform | CWE-200 | 5.3 | Medium | 2025-03-22 |
| CVE-2025-2025 | Give <= 3.22.0 - Missing Authorization to Unauthenticated Arbitrary Earning Reports Disclosure via give_reports_earnings Function | GiveWP – Donation Plugin and Fundraising Platform | CWE-862 | 6.5 | Medium | 2025-03-15 |
| CVE-2025-0912 | GiveWP – Donation Plugin and Fundraising Platform <= 3.19.4 - Unauthenticated PHP Object Injection | GiveWP – Donation Plugin and Fundraising Platform | CWE-502 | 9.8 | Critical | 2025-03-04 |
| CVE-2025-1291 | Gutenberg Blocks by Kadence Blocks <= 3.4.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'icon' | Kadence Blocks — Page Builder Toolkit for Gutenberg Editor | CWE-79 | 6.4 | Medium | 2025-03-01 |
| CVE-2025-22633 | WordPress Give – Divi Donation Modules plugin <= 2.0.0 - Sensitive Data Exposure vulnerability | Give – Divi Donation Modules | CWE-538 | 5.8 | Medium | 2025-02-23 |
| CVE-2025-1402 | Event Tickets and Registration <= 5.19.1.1 - Missing Authorization to Ticket Deletion | Event Tickets and Registration | CWE-862 | 5.3 | Medium | 2025-02-21 |
| CVE-2024-13457 | Event Tickets <= 5.18.1 - Insecure Direct Object Reference to Sensitive Information Exposure | Event Tickets and Registration | CWE-284 | 5.3 | Medium | 2025-01-30 |
| CVE-2025-24537 | WordPress The Events Calendar plugin <= 6.7.0 - Cross Site Request Forgery (CSRF) vulnerability | The Events Calendar | CWE-352 | 5.4 | Medium | 2025-01-27 |
| CVE-2024-11090 | Membership Plugin – Restrict Content <= 3.2.13 - Unauthenticated Content Restriction Bypass to Sensitive Information Exposure | Membership Plugin – Restrict Content | CWE-200 | 5.3 | Medium | 2025-01-26 |
| CVE-2025-24753 | WordPress Kadence Blocks plugin <= 3.3.1 - Broken Access Control vulnerability | Gutenberg Blocks by Kadence Blocks | CWE-862 | 4.3 | Medium | 2025-01-24 |
| CVE-2024-12118 | The Events Calendar <= 6.9.0 - Authenticated (Contributor+) Stored Cross-Site Scripting | The Events Calendar | CWE-79 | 6.4 | Medium | 2025-01-23 |
| CVE-2025-22777 | WordPress GiveWP Plugin <= 3.19.3 - PHP Object Injection vulnerability | GiveWP | CWE-502 | 9.8 | Critical | 2025-01-13 |
| CVE-2024-12877 | GiveWP – Donation Plugin and Fundraising Platform <= 3.19.2 - Unauthenticated PHP Object Injection | GiveWP – Donation Plugin and Fundraising Platform | CWE-502 | 9.8 | Critical | 2025-01-11 |
| CVE-2024-12304 | Gutenberg Blocks with AI by Kadence WP – Page Builder Features <= 3.4.2 - Authenticated (contributor+) Stored Cross-Site Scripting via Button Link | Kadence Blocks — Page Builder Toolkit for Gutenberg Editor | CWE-79 | 6.4 | Medium | 2025-01-11 |
| CVE-2024-38762 | WordPress Event Tickets and Registration plugin <= 5.11.0.4 - Cross Site Request Forgery (CSRF) vulnerability | Event Tickets | CWE-352 | 4.3 | Medium | 2025-01-02 |

This page lists every published CVE security advisory associated with stellarwp. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.